Integrating with Splunk

If you use Splunk or another log management tool, the alert logs from Sucuri’s WAF can be exported to it directly via syslog over UDP. This option is only available to customers on the CloudProxy Enterprise plan. Keep in mind that syslog over UDP is sent in the clear and carries no authentication, so the listener should accept traffic only from Sucuri’s forwarder (see Receiving Sucuri Events below).

Configuring Splunk

To get started, go to your Splunk dashboard and set up a new data input (under Settings -> Data Inputs). Choose a UDP input and create a new listener on any port you wish. This document from Splunk explains how to do so:

Receiving Sucuri Events

Once your Splunk listener is configured, contact Sucuri’s support team or your account manager and provide them with the following information:

Sucuri will configure the forwarder on their end within 24 hours and start sending alerts to your server. They will also give you the IP address the forwarder sends from: allow only that address on the listener port and block every other source, so that arbitrary hosts cannot inject events into your index.
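The listener setup and source restriction described above, as an added example that is not Sucuri’s or Splunk’s own code. It uses placeholder values that you must replace: a forwarder address of 203.0.113.10 (a documentation address, not a real Sucuri IP; use the one support gives you), listener port 1514, Splunk installed in /opt/splunk, and an index name "sucuri" and sourcetype "sucuri:waf" chosen for illustration. The inputs.conf settings acceptFrom and connection_host are Splunk’s own; the iptables rules are an ordinary host firewall placed in front of them.

```shell
#!/bin/bash
# Added example, not code from Sucuri or Splunk. Pins a Splunk UDP syslog
# listener to the single source address Sucuri's support team provides.
# Placeholder assumptions: forwarder IP 203.0.113.10 (a documentation
# address, NOT a real Sucuri IP), listener port 1514, Splunk in /opt/splunk,
# index "sucuri" and sourcetype "sucuri:waf" chosen here for illustration.
SUCURI_IP="${SUCURI_IP:-203.0.113.10}"
UDP_PORT="${UDP_PORT:-1514}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_DIR="$SPLUNK_HOME/etc/apps/sucuri_waf/local"

# inputs.conf stanza for the listener. acceptFrom is Splunk's own per-input
# ACL: datagrams from any other address are discarded by splunkd.
# connection_host=ip records the sender address as the event host, so a
# stray source would show up in:  index=sucuri | stats count by host
render_inputs_conf() {
  cat <<EOF
[udp://$UDP_PORT]
sourcetype = sucuri:waf
index = sucuri
connection_host = ip
acceptFrom = $SUCURI_IP
EOF
}

# Host firewall rules: accept the port from Sucuri only and drop everything
# else before it reaches splunkd. This is a second layer in front of
# acceptFrom; the ACCEPT rule must come before the DROP rule.
render_iptables_rules() {
  cat <<EOF
iptables -A INPUT -p udp --dport $UDP_PORT -s $SUCURI_IP -j ACCEPT
iptables -A INPUT -p udp --dport $UDP_PORT -j DROP
EOF
}

# Write the stanza, load the firewall rules and restart splunkd.
# Run as root on the Splunk host:  ./sucuri_listener.sh apply
apply() {
  mkdir -p "$APP_DIR"
  render_inputs_conf > "$APP_DIR/inputs.conf"
  render_iptables_rules | sh -e
  "$SPLUNK_HOME/bin/splunk" restart
}

# Send one constructed line to the listener from the Splunk host itself
# (bash /dev/udp). 127.0.0.1 is not an allowed source, so the line must NOT
# appear in the index; that absence confirms the restriction is in force.
send_probe() {
  printf '<134>sucuri-listener-probe from localhost\n' \
    > "/dev/udp/127.0.0.1/$UDP_PORT"
}

case "${1:-}" in
  apply) apply ;;
  probe) send_probe ;;
  *) render_inputs_conf; echo; render_iptables_rules ;;
esac
```

Running the script with no argument only prints the stanza and the rules for review. If an earlier rule in your INPUT chain already accepts all UDP, append with -I instead of -A so these rules are evaluated first. The positive check is Sucuri’s own events arriving once their forwarder is enabled; the probe is a negative check only. Because UDP carries no handshake, a source address can be forged by anyone on a path that permits spoofing, so this allow list keeps out opportunistic noise rather than a determined attacker.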

Alert format

The alerts are sent in syslog format, following the OSSEC alert structure: